Problem solveGet help with specific problems with your technologies, process and projects.

Open source security in a Windows enterprise

Open source security products provide a low-cost and, often, highly effective option for enterprises, so why are many of us reluctant to adopt them? Contributor Tony Bradley takes a look at why that is so and how these decisions could affect the open source community.

There are a number of open source software programs available to help maintain, administer and secure virtually any aspect of a computer network. In fact, open source products are often perceived to be the best in their class and set the bar for commercial products.

Open source refers to a program in which the source code is available for free to the general public. Unlike commercial software, which is governed by EULAs (end-user licensing agreements) and where users must rely on the vendor to modify and upgrade the software, open source software can be modified or improved by the user.

Ideally, this environment of openly sharing and modifying programs will result in superior products. The collaborative effort of programmers around the world can create powerful new features and help work out the bugs to create a more stable and secure software than might be created by even the best commercial software developers.

Using open source in an enterprise Open source software is free. Compared with commercial products, which can cost thousands or even tens of thousands of dollars to implement and may require an ongoing investment to maintain licensing, the price is certainly right. So, why don't more enterprise network administrators rely on open source software to maintain and protect the network?

When it comes to computer and network security, open source products have blazed new paths and established themselves as leaders of their respective classes. Names like Ethereal (a packet sniffer or protocol analyzer), Snort (an intrusion detection system) and Nessus (a vulnerability scanner) are considered to be the some of the best at what they do, yet corporations are reluctant to use them and instead invest tons of money in proprietary commercial solutions.

There are two primary reasons for the corporate resistance to open source tools, particularly for network security products. The first is the perception that having the entire program code available to everyone might make it easier for hackers to find weaknesses and engineer attacks that can exploit the product being used. Certainly, being able to analyze the source code is easier for an attacker looking for holes. But the good guys can also analyze the source code to identify and fix the flaws preemptively, and when they encounter exploits, the open source community is generally faster at developing patches to address the problem than their commercial counterparts.

The second reason -- and, arguably, the bigger reason that companies are resistant to open source solutions -- is the lack of a target to hold culpable when things go awry. Companies like to have the support and backing of a vendor that they can call to help train them and troubleshoot problems, as well as take the blame when things go wrong. Deploying open source products means not having anyone to point fingers at.

While that may be true, if a company were to invest a fraction of the money it uses to purchase commercial products and support into training its administrators and developers to properly use open source tools, the company would have an in-house team of individuals who can train and troubleshoot the products themselves. Or, take the heat when something goes wrong. Most successful open source products also have tremendous support available from programmers around the world on forums and message boards.

Failure of the open source model Recently, Tenable Network Security announced that the next version of the Nessus vulnerability scanner will no longer be distributed as open source. That same week, Check Point Software Technologies Ltd. announced the purchase of Sourcefire Inc., makers of the open source IDS Snort, but promised to maintain it as an open source product. Oracle Corp. recently bought Innobase, developers of the popular open source database program InnoDB. These moves concern backers of the open source model and lead to questions about whether open source is a viable business model.

Renaud Deraison, chief technical officer of Tenable Network Security Inc. and creator of Nessus, cited a lack of support from the open source community. He pointed to increasing use of the freely available tool for monetary gain by companies using Nessus as the core of their security appliances when asked why they are moving away from the GPL (General Public License) model. Essentially, Deraison and Tenable Network Security were putting in all of the effort to improve and evolve the product while other companies were reaping the rewards.

I believe this is an isolated incident, but it highlights the fact that open source software relies on the open source community. The failure of the community to collaborate and contribute can lead a developer to close the source or it may even lead to the death of the product completely.

Next week I will take a look at some of the best open source Windows security products available.

About the author: Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security, providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit Essential Computer Security.

Start the conversation

0 comments

Register

I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.

Please check the box if you want to proceed.

I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.